Steam Users Targeted by Phishers

A phishing campaign that started around the beginning of the year, targeting gamers who use Valve Software’s Steam network, continues unabated but with a twist: The phishers have registered dozens of domain names, such as trial-steam.tk or steamcommunity###.tk (where the ### can be a two or three digit number), which are used to host the phishing pages. The pages appear to be a “Steam Community” login page which looks identical to Valve’s Steam Community Web site.

There are a few ways you can quickly identify whether you’re on the right page or a fake. For one, the real Steam Community page is served over HTTPS, so you should see “https” in the address bar and the lock icon in the corner of the browser window. Clicking on this icon shows the valid security certificate information, which clearly identifies the site as owned by Valve.

Another way you can tell that you’re on the correct Steam login page is to use the “Select your preferred language” dropdown at the top of the window to switch to any language other than English. If you’re on Steam’s page, the language will change; if you’re on the phisher’s page, it simply refreshes and remains set to English, no matter which language you pick. Also, the real Steam page features a cartoony graphic of “players” chatting amongst themselves which changes periodically. The phishers’ pages always show the same static graphic, shown above.

Read on for some additional details.

As a tease, they don’t get any more conventional than this one: The text at the top of the phishing page implores visitors that “Now, and for the last 0.3 minutes (sic), you can test Killingfloor for free in the steamshop!” Presumably, this 20-second window of opportunity is intended to spur gamers into rapidly, and without thinking, entering their credentials into the form on the page.

The various domains are essentially a placeholder for a full-window iframe; the actual malicious pages are hosted at a variety of free Web hosting services. As quickly as the free pages are being pulled down, the phishers are throwing new ones up elsewhere. Webroot is working with the Web hosting providers and domain registrars to get the entire batch shut down quickly.
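The two indicators the post describes lend themselves to simple automated checks: the lookalike domain pattern (steamcommunity###.tk, trial-steam.tk) from the opening paragraph, and the full-window iframe pointing at a third-party free host from the paragraph above. The script below is an added example, not code from Webroot or the original post; the allow-list of legitimate Steam hosts, the regular expressions, the hostname free-host.example and the sample HTML are all constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of genuine Steam hosts (not from the post).
LEGIT_HOSTS = {"steamcommunity.com", "store.steampowered.com"}

# Patterns modelled on the domains the post names:
#   steamcommunity###.tk  (### = two or three digits)
#   trial-steam.tk        (any .tk label containing "steam")
LOOKALIKE_PATTERNS = [
    re.compile(r"^steamcommunity\d{2,3}\.tk$"),
    re.compile(r"^[a-z0-9-]*steam[a-z0-9-]*\.tk$"),
]


def classify_url(url):
    """Classify a URL as 'legit', 'no-https', 'lookalike' or 'unknown'.

    A genuine host reached over plain HTTP is flagged separately, because
    the real login page is only ever served over HTTPS.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in LEGIT_HOSTS:
        return "legit" if parsed.scheme == "https" else "no-https"
    if any(p.match(host) for p in LOOKALIKE_PATTERNS):
        return "lookalike"
    return "unknown"


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_fullwindow_external_iframes(html, page_host):
    """Return hosts of iframes that fill the window and load from another host.

    This matches the post's description of a placeholder domain whose only
    content is a full-window iframe of a page on a free hosting service.
    """
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src_host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        if not src_host or src_host == page_host.lower():
            continue  # same-origin or relative iframe: not the pattern we want
        style = attrs.get("style", "").replace(" ", "").lower()
        full_window = (
            (attrs.get("width", "").strip() == "100%"
             and attrs.get("height", "").strip() == "100%")
            or ("width:100%" in style and "height:100%" in style)
            or ("width:100vw" in style and "height:100vh" in style)
        )
        if full_window:
            hits.append(src_host)
    return hits


def assess_page(url, html):
    """Combine both checks into a list of findings for one fetched page."""
    findings = []
    verdict = classify_url(url)
    if verdict != "legit":
        findings.append("url:" + verdict)
    page_host = (urlparse(url).hostname or "").lower()
    for src_host in find_fullwindow_external_iframes(html, page_host):
        findings.append("fullwindow-iframe:" + src_host)
    return findings


# Constructed sample of a placeholder page: one full-window iframe to a free host.
SAMPLE_PAGE = """<html><body style="margin:0">
<iframe src="http://free-host.example/steam/login.php" width="100%"
        height="100%" frameborder="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for u in ("https://steamcommunity.com/login", "http://steamcommunity123.tk/",
              "http://trial-steam.tk/", "https://example.com/"):
        print(u, "->", classify_url(u))
    print(assess_page("http://steamcommunity123.tk/", SAMPLE_PAGE))
```

The hostname regexes are deliberately narrow so the example stays faithful to the two domain shapes the post describes; in practice you would drive the same functions from a feed of newly registered domains and fetched page bodies, and treat "lookalike" plus "fullwindow-iframe" together as a high-confidence match for this campaign.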